Abstract

It is a standard result in the theory of quantum error-correcting codes that no code of length n can
fix more than n/4 arbitrary errors, regardless of the dimension of the coding and encoded Hilbert spaces.

However, this bound only applies to codes which recover the message exactly. Naively, one might expect
that correcting errors to very high fidelity would only allow small violations of this bound. This intuition is
incorrect: in this paper we describe quantum error-correcting codes capable of correcting up to $\lfloor (n-1)/2 \rfloor$
arbitrary errors with fidelity exponentially close to 1, at the price of increasing the size of the registers (i.e.,
the coding alphabet). This demonstrates a sharp distinction between exact and approximate quantum
error correction. The codes have the property that any t components reveal no information about the
message, and so they can also be viewed as error-tolerant secret sharing schemes.

The construction has several interesting implications for cryptography and quantum information theory.
First, it suggests that secret sharing is a better classical analogue to quantum error correction than is
classical error correction. Second, it highlights an error in a purported proof that verifiable quantum secret
sharing (VQSS) is impossible when the number of cheaters t is n/4. In particular, the construction directly
yields an honest-dealer VQSS scheme for $t = \lfloor (n-1)/2 \rfloor$. We believe the codes could also potentially
lead to improved protocols for dishonest-dealer VQSS and secure multi-party quantum computation.

More generally, the construction illustrates a difference between exact and approximate requirements 
in quantum cryptography and (yet again) the delicacy of security proofs and impossibility results in the 
quantum model. 



1 Introduction



Quantum computers are likely to be highly susceptible to errors from a variety of sources, much more so 
than classical computers. Therefore, the study of quantum error correction is vital not only to the task 
of quantum communications but also to building functional quantum computers. In addition, quantum
error correction has many applications to quantum cryptography. For instance, there is a strong connection 
between quantum error-correcting codes and secret sharing schemes [6], and that connection was combined 
with fault-tolerant quantum computation to perform multiparty secure quantum computations [9]. Many 
quantum key distribution schemes also rely on ideas from quantum error-correction for their proofs of 
security. Thus, bounds on the performance of quantum error-correcting codes (QECCs) in various scenarios
are relevant both to the foundations of quantum information theory and to quantum cryptography. 

It is an immediate result of the no-cloning theorem [24] that no quantum error-correcting code of length 
n can fix n/2 erasures: such a code would allow one to reconstruct two copies of an encoded quantum state 
from two halves of the full codeword, which would be cloning the state. This result is valid regardless of
the dimension of the coding Hilbert space. Another well known result from the theory of quantum error 
correction is that a length n code can fix t arbitrary single position errors if and only if it can fix 2t erasure 
errors [11]. This follows immediately from the quantum error-correction conditions [11] 



(for basis encoded states $\{|\psi_i\rangle\}$ and correctable errors $\{E_a\}$) and implies that no QECC of length n can fix
more than n/4 arbitrary errors, regardless of the dimension of the coding and encoded Hilbert spaces. In
contrast, a classical repetition code can correct up to $\lfloor (n-1)/2 \rfloor$ errors.

In this paper, we describe QECCs of length n that can correct arbitrary errors which affect up to 
$t = \lfloor (n-1)/2 \rfloor$ positions, with the guarantee that the fidelity of the reconstructed state will be exponentially
close to 1. That is, approximate quantum error-correcting codes have the capability of correcting errors in 
a regime where no exact QECC will function. The scheme is also a secret-sharing scheme, in that no t 
positions reveal any information at all about the message. The result has a number of implications for both 
cryptography and quantum information theory: 

• It may be possible to build approximate QECCs which are highly efficient and yet useful in common
error correction scenarios, improving on exact QECCs for the same scenarios. In most cases, exact 
reconstruction of the quantum state is not necessary, so a more efficient approximate QECC would be 
welcome. 

• The connection between correcting general errors and erasure errors breaks down for approximate QECCs.
This suggests there is no sensible notion of distance for an approximate quantum error-correcting code. 

• The proof of the impossibility of verifiable quantum secret sharing (VQSS) with t > n/4 cheaters in [9]
is incorrect, since it assumes that the t < n/4 bound on error correction extends to approximate quantum
codes. In particular, the construction described here immediately yields an honest-dealer verifiable
quantum secret sharing scheme which is secure for $t = \lfloor (n-1)/2 \rfloor$.

Similar constructions may allow verifiable quantum secret sharing (VQSS) with a dishonest dealer and
secure multiparty quantum computation (MPQC) beyond previously known bounds. We have devised
candidate protocols for these tasks allowing up to $(n-1)/2$ cheaters, but we do not present them here,
as we have not yet proved their security and they are, in any case, quite complex.

• Secret sharing may serve as a better classical analogue to quantum error correction than does classical
error correction. The sharp difference we see between perfect and approximate quantum error correction 
parallels to some extent a similar difference between error-tolerant secret sharing schemes (explained 
below) with zero error and those with exponentially small error [19]. The codes here use such secret 
sharing schemes as a building block. 

• More generally, our results demonstrate that there can be a dramatic difference in behavior between
the exact performance of some quantum-mechanical task and approximate performance of the task, even 
when the approximation is exponentially good. A similar divergence between exact and approximate 
bounds has recently been seen in the context of private quantum channels [13]. These examples serve as a 
caution, especially valid in cryptography, that intuition about approximate performance of quantum
protocols may be misleading. 

The idea of using a randomized encoding algorithm is not new in QECC. In particular [4] have devised
codes that can correct more (malicious) errors on average than any deterministic QECC. However, their 
model significantly differs from ours in one of two ways: they assume either that the errors occur at random 
or that the code is randomly agreed on by the coder and the decoder but is kept secret from the adversarial 
noise source. This model does not seem suitable in cryptographic applications such as VQSS and MPQC 
[9]. In our model no secret is shared by the coder and decoder. However, part of our code can be viewed 
as providing a way for the coder to information-theoretically encrypt the necessary secret. (This is possible 
since the adversary only has access to part of the transmitted state, though it could be any part.) 

A closer analogue to our codes is present in [15], which gave a pure-state encoding to approximately 
correct a specific error model more efficiently than a typical minimum-distance code. (Note, however, that 
the nature of the error model in fact precludes any exact quantum error-correcting code.) Closer yet is [21], 
which considered approximate quantum error correction in precisely our sense, and studied conditions for 
approximate error correction to be possible. They did not, however, present any specific codes or suggest 
that approximate QECCs might allow significant improvements in the number of correctable registers. 

Secret Sharing and Quantum Error Correction. Classically, an (n, d)-secret sharing scheme splits a
secret into n pieces so that no $d-1$ shares reveal any information about the secret, but any d shares allow
one to reconstruct it. Such a scheme is already an error-correcting code, since it allows one to correct up to
$n-d$ erasures. Error-correcting codes need not be secret sharing schemes: a repetition code, for example,
provides no secrecy at all. In the quantum world, the connection is much tighter. Cleve et al. [6] observed 
that any (perfect) QECC correcting t erasures is itself a secret sharing scheme, in that no t components of 
the code reveal any information about the message. This follows from the principle that information implies 
disturbance. Furthermore, most known (perfect) classical secret sharing schemes (and "ramp" schemes) can 
be directly transformed into (perfect) QECC's with the related parameters [22]. 

The quantum code construction described here illustrates a further connection to classical secret sharing. 
An error-tolerant secret sharing scheme (ETSS) can recover the secret even when t shares have been maliciously
corrupted. Ordinary (n, d)-secret sharing schemes are error-tolerant: such a scheme corrects $n-d$
erasures and hence $t = (n-d)/2$ errors (this fact was first highlighted for Shamir secret sharing in [16]). If
we also want any t shares to reveal no information, then we get t < d, and thus t < n/3. This is optimal
for schemes with zero error probability. On the other hand, if one allows a small probability of mistaken
error correction, then one can in fact get error-tolerant secret sharing schemes which correct $t = \lfloor (n-1)/2 \rfloor$
errors (see the Preliminaries for more details). Thus, the best classical analogue for approximate quantum
codes are error-tolerant classical secret sharing schemes which correct any t errors with high probability. 
These have been studied more or less explicitly in work on multi-party computation [19, 7, 8]. 

It is worth noting that the construction of quantum error-tolerant secret sharing schemes has farther 
reaching implications than analogous classical constructions. Our approximate quantum codes correct a 
number of general errors for which no exact code would suffice, whereas the classical constructions can be 
better understood as reducing the number of erasures that can be corrected via secret sharing techniques. A 
straightforward classical repetition code already corrects up to $\lfloor (n-1)/2 \rfloor$ arbitrary errors exactly, so there
is no need to resort to sophisticated techniques to achieve this with classical ECCs. 

Results. Our construction produces quantum codes which encode $\ell$ qubits into n registers of $\ell/(n-2t) + O(ns)$
qubits each and which correct any t adversarial errors with probability $2^{-s}$ (the bound assumes $\log n < \ell < 2^s$
for simplicity). This is done by transforming $[[n, 1, n/2]]_n$ QECCs on n-dimensional registers into better codes
on $2^{O(ns)}$-dimensional registers. The codes we construct are always decodable in polynomial time, since the
only necessary operations are verification of quantum authentication and erasure correction for a stabilizer
code, and since erasure correction for a stabilizer code only requires solving a system of linear equations.

2 Preliminaries



Classical Authentication. For our purposes, a classical (one-time) authentication scheme is a function
$h_a(m)$ that takes a secret key a and a message m as input (and no other randomness), and outputs a tag
for the message. Typically, Alice sends the pair $m, h_a(m)$ to Bob, with whom she shares the key a. Bob
receives a pair m', tag' and accepts the message as valid if and only if $\mathrm{tag}' = h_a(m')$. Bob will always accept
a message that really came from Alice. The scheme has error $\epsilon$ if, given a valid pair $m, h_a(m)$, no adversary
Oscar can forge a tag for a different message m' with probability better than $\epsilon$. That is, for all messages
m and all (computationally-unbounded, randomized) algorithms $O()$, if a is chosen randomly from a set of
keys $\mathcal{K}$, then:

$$\Pr[\, m', \mathrm{tag}' \leftarrow O(m, h_a(m)) : \mathrm{tag}' = h_a(m') \,] < \epsilon.$$

We make no assumptions on the running time of the adversary. If the message is $\ell$ bits long, then one can
find a polynomial time authentication scheme where both the key and the tags have length $O(\log \ell + \log(1/\epsilon))$
(see, e.g., [10]).

For the remainder of this paper, we assume the reader is familiar with the basic notions and notation of
quantum computing (see a textbook such as [17] if necessary). 

Quantum Authentication. Intuitively, a quantum authentication scheme [2] is a keyed system which
allows Alice to send a state $\rho$ to Bob with a guarantee: if Bob accepts the received state as "valid", the
fidelity of that state to $\rho$ is almost 1. Moreover, if the adversary makes no changes, Bob always accepts and
the fidelity is exactly 1. The following definition is from Barnum et al. [2]. We first define what constitutes 
a quantum authentication scheme, and then give a definition of security. 

Definition 1 ([2]) A quantum authentication scheme (QAS) is a pair of polynomial time quantum algorithms
A and V together with a set of classical keys $\mathcal{K}$ such that:

• A takes as input an m-qubit message system M and a key $k \in \mathcal{K}$ and outputs a transmitted system C of
m + t qubits.

• V takes as input the (possibly altered) transmitted system C and a classical key $k \in \mathcal{K}$ and outputs
two systems: an m-qubit message state M, and a single (verdict) qubit V which indicates acceptance or
rejection. The classical basis states of V are called $|acc\rangle$, $|rej\rangle$ by convention.

For any fixed key k, we denote the corresponding super-operators by $A_k$ and

Bob may measure the qubit V to see whether or not the transmission was accepted or rejected. Nonetheless,
we think of V as a qubit rather than a classical bit since it will allow us to describe the joint state of
the two systems M, V with a density matrix. Given a pure state $|\psi\rangle \in \mathcal{H}_M$, consider the following test on
the joint system M, V: output a 1 if the first m qubits are in state $|\psi\rangle$ or if the last qubit is in state $|rej\rangle$
(otherwise, output a 0). The projectors corresponding to this measurement are

$$P_1^{|\psi\rangle} = |\psi\rangle\langle\psi| \otimes |acc\rangle\langle acc| + I_M \otimes |rej\rangle\langle rej|$$

$$P_0^{|\psi\rangle} = (I_M - |\psi\rangle\langle\psi|) \otimes (|acc\rangle\langle acc|)$$

We want that for all possible input states $|\psi\rangle$ and for all possible interventions by the adversary, the expected
fidelity of V's output to the space defined by $P_1^{|\psi\rangle}$ is high. This is captured in the following definition of
security.

Definition 2 ([2]) A QAS is secure with error $\epsilon$ for a state $|\psi\rangle$ if it satisfies:
• Completeness: For all keys $k \in \mathcal{K}$: $V_k(A_k(|\psi\rangle\langle\psi|)) = |\psi\rangle\langle\psi| \otimes |acc\rangle\langle acc|$
• Soundness: For a super-operator O, let $\rho_{Bob}$ be the state output by Bob when the adversary's intervention
is characterized by O, that is: $\rho_{Bob} = \frac{1}{|\mathcal{K}|} \sum_k V_k(O(A_k(|\psi\rangle\langle\psi|)))$ (this is the expectation over all values of
the key of the state output by Bob). The QAS has soundness error $\epsilon$ for $|\psi\rangle$ if for all super-operators O,

$$\mathrm{Tr}(P_1^{|\psi\rangle} \rho_{Bob}) > 1 - \epsilon$$

A QAS is secure with error $\epsilon$ if it is secure with error $\epsilon$ for all states $|\psi\rangle$. We make no assumptions on the
running time of the adversary.

In order to authenticate a message of $\ell$ qubits, the authentication scheme of [2] uses a (classical) key
of length $2\ell + O(\log(1/\epsilon))$ random bits and produces a transmitted system of $\ell + O(\log(1/\epsilon))$ qubits. The
large part $2\ell$ of the classical key is used to encrypt the quantum state, which is necessary for any
quantum authentication scheme to be secure [2]. In the special case where Alice wishes to authenticate half
of a maximally entangled state $\sum_i |i\rangle|i\rangle$, in fact only $O(\log(1/\epsilon))$ classical key bits are necessary [18, 12],
effectively because Alice's message is already a maximally mixed state, making encryption redundant.

Composability of Quantum Authentication. We will need authentication protocols that have an additional
composability property: If $(A_k, V_k)$ is a QAS with error $\epsilon$ for key k, then the concatenated protocol



should be a QAS with error $\epsilon$ for the key $(k_1, \ldots, k_n)$, with the understanding that the concatenated verification
protocol accepts if and only if all of the tensor components accept (i.e. the verdict qubit for the
concatenated scheme is the logical AND of the individual verdict qubits).

This sort of composability holds trivially for a classical authentication scheme, although the error may
increase linearly with the number of compositions. We do not know if the same is true in general for quantum
authentication schemes. However, the quantum authentication schemes of [2] are indeed composable, with
no blow-up in the error parameter. This follows because they are constructed from stabilizer purity testing
codes (PTCs), which clearly satisfy a corresponding property (if is a stabilizer PTC with error $\epsilon$, then
$\bigotimes_{i=1}^{n}$ is a stabilizer PTC with error $\epsilon$).

Classical Secret Sharing and Error Correction. A classical (n, d)-secret sharing scheme [20] is a
cryptographic protocol allowing a dealer to share a secret k into n shares $(s_1, \ldots, s_n)$ with n share-holders
$P_1, \ldots, P_n$ in such a way that any $d-1$ $s_i$'s contain no information about k whereas any d of those $s_i$'s
completely define k. We write $(s_1, \ldots, s_n) \in_R SS_{n,d}(k)$, a random instantiation of a set of shares for secret
k. The original construction of Shamir [20], based on Reed-Solomon codes, allows one to share an $\ell$-bit
secret with shares that are each $\max\{\ell, \log n\}$ bits.

An important component in our construction is a classical secret sharing scheme which allows the honest
players to reconstruct the secret even if the cheaters alter their shares. Specifically, consider the following
game: an honest dealer takes a secret, splits it into n shares $s_1, \ldots, s_n$, and distributes the shares amongst n
participants over secure channels (i.e., player i gets only $s_i$). Next, an adversary (adaptively) corrupts up to
$t = d-1$ of the players. Finally, all players send their (possibly corrupted) shares over secure channels to a
trusted arbiter who attempts to recover the secret. The secret sharing scheme is called an error-tolerant secret
sharing scheme (ETSS) and is t-error-correcting with error $\epsilon$ if the arbiter can reconstruct the correct secret
with probability $1 - \epsilon$, regardless of the adversary's strategy. In other words, an ETSS is a secret-sharing
scheme which also acts as an error-correcting code correcting any t errors with high probability.

Error-tolerant secret sharing has been studied under the names "honest-dealer VSS with a non-rushing
adversary" [8] and "non-interactive Las Vegas perfectly secure message transmission" [23]. "Robust secret
sharing" [5] is a slightly weaker variant of the problem. Another variant, "honest-dealer VSS with rushing"
is slightly stronger than ETSS; see [8] for a discussion of the differences.

A number of constructions of ETSS schemes appear in the literature. When t < n/3, any ordinary 
secret sharing scheme is in fact an ETSS with zero error (since it is a code correcting 2t erasures and hence 
t errors). This connection was first pointed out by [16]. When t is between n/3 and n/2, one can adapt 
constructions from multi-party computation protocols [19, 7, 8]. We will use a simple construction for the 
case $t = \lfloor (n-1)/2 \rfloor$ from [8]. The dealer encodes the secret using an ordinary secret sharing scheme, and
augments the shares by creating a fresh authentication key and tag for every pair of players: $P_i$ gets the
key $a_{ij}$ and $P_j$ gets the tag $h_{a_{ij}}(s_j)$. If the adversary does not successfully forge any authentication tags for
keys held by honest players, then the arbiter can reconstruct the secret by accepting only shares for which
at least t + 1 of the authentication tags are valid.

The two schemes suggested above tolerate the maximum number of cheaters. On one hand, schemes 
with zero error can tolerate at most n/3 errors [19]. On the other hand, it is clear that no ETSS scheme can 
correct more than $t = \lfloor (n-1)/2 \rfloor$ errors: any $n-t$ players must be able to reconstruct the secret alone (as
the adversary could simply erase all its shares), and so we must have $n-t > t$. Alternatively, one can view
this as an ordinary error correction bound: if the adversary could control half of the shares, he could make 
them all consistent with a value of his choosing (say 0) and force the arbiter to reconstruct 0. 

The main complexity measure of an ETSS scheme is the share size. For a given scheme, let $CC(\ell, \epsilon, t)$
denote the maximum size (in bits) of a share held by any player. When t < n/3, the usual Shamir secret
sharing scheme is a zero-error ETSS scheme with share size $CC(\ell, 0, t) = \ell/(n-3t)$ (for
$\ell > (n-3t)\log n$). The errors can be corrected in polynomial time since the scheme encodes data in a
Reed-Solomon code. For $t = \lfloor (n-1)/2 \rfloor$, the augmented scheme using authentication tags produces shares
of size $CC(\ell) = \ell + O(n \log(1/\epsilon))$ (when $\ell > \log n$ and $\log(1/\epsilon) > \max\{n, \ell\}$).

Based on [5], Cramer et al. [8] present a more compact scheme for $t = \lfloor (n-1)/2 \rfloor$ with share size
$O(\ell + n + \log(1/\epsilon))$. Unfortunately, that scheme is not known to correct the errors in polynomial time. A second
scheme, for t further away from n/2, generates shares of size $CC(\ell, \epsilon, t) = \Omega(n \log(1/\epsilon) + \ell/(n-2t))$. The same
work [8] also proved a simple lower bound on the share size of ETSS schemes: $CC(\ell, \epsilon, t) = \Omega(\log(1/\epsilon) + \ell/(n-2t))$.
This bound is tight for $\log(1/\epsilon) > n$ and $n = 2t + 1$.

3 Definition of Approximate Quantum Codes (AQECC) 

An approximate quantum error-correcting code allows Alice to send a state $\rho$ to Bob with the guarantee
that if few enough errors occur in transmission, the fidelity of the state received by Bob to $\rho$ will be almost
1. 

Let $q = p^m$ and $Q = p^N$ for some prime p and integers m, N. We first define what constitutes an
AQECC over $\mathbb{F}_q$, and then give a definition of correctness. (Note that the definition makes sense over any
alphabet, but we restrict to prime powers for simplicity).

Definition 3 An approximate quantum error correcting code (AQECC) is a pair of quantum algorithms
E (encoder) and D (decoder) such that:

• E takes as input an m-quqit message system M and outputs a (mixed state) codeword C of n quQits.
• D takes as input the (possibly altered) transmitted system C and outputs an m-quqit message state M.

In our constructions, both the encoding E and error-correction algorithm D run in polynomial time in 
the number of qubits of input. 

We will define the correctness of an AQECC on pure states, but it follows from a result of Barnum, Knill 
and Nielsen ([3], Thm 2) that the output of the AQECC also has high fidelity to an input which is mixed 
or part of an entangled state. 

Given a pure state $|\psi\rangle \in \mathcal{H}_M$, consider the following test on the system M: output a 1 if the first k
quqits are in state $|\psi\rangle$ (otherwise, output a 0). The projectors corresponding to this measurement are

$$P_\psi = |\psi\rangle\langle\psi|$$

$$P_\psi^\perp = (I_M - |\psi\rangle\langle\psi|)$$

We want that for all possible input states $|\psi\rangle$ and for all possible interventions by the adversary, the expected
fidelity of Bob's output to the space defined by $P_\psi$ is high. This is captured in the following definition of
correctness.

Definition 4 An AQECC is t-correct with error $\epsilon$ for a state $|\psi\rangle$ if for all super-operators O acting on at
most t quQits (that is, O can be written as $I_{n-t} \otimes O_t$ for some partition of the system into $n-t$ and t
quQits),

$$\mathrm{Tr}(P_\psi \rho_{Bob}) > 1 - \epsilon,$$

where $\rho_{Bob}$ is the state output by Bob when the adversary's intervention¹ is characterized by O, that is:

$$\rho_{Bob} = D(O(E(|\psi\rangle\langle\psi|))).$$

An AQECC is t-correct with error $\epsilon$ if it is t-correct with error $\epsilon$ for all states $|\psi\rangle$.

4 A length 3 quantum code approximately correcting one arbitrary error 

We start with a small example, from a well known code. The code c corrects one erasure error: 

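$$\begin{aligned}
|0\rangle &\to |000\rangle + |111\rangle + |222\rangle \\
|1\rangle &\to |012\rangle + |120\rangle + |201\rangle \qquad (3) \\
|2\rangle &\to |021\rangle + |102\rangle + |210\rangle
\end{aligned}$$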

Let $H_1 \otimes H_2 \otimes H_3$ be the coding space of the original code

and let $(A_k, V_k)$ be a quantum authentication scheme as constructed in [2].
We construct a three-component code c' as follows:

$$\begin{aligned}
c'|\psi\rangle = {} & (A_{k_1}(H_1), k_2, k_3), \\
& (A_{k_2}(H_2), k_1, k_3), \qquad (4) \\
& (A_{k_3}(H_3), k_2, k_1).
\end{aligned}$$

Let $H'_1 \otimes H'_2 \otimes H'_3$ be the coding space of the new code

$$c'|\psi\rangle \in H'_1 \otimes H'_2 \otimes H'_3$$

Note that $k_1$, $k_2$, and $k_3$ are random classical strings which we use as keys for the quantum authentication
protocol $A_k$. Thus, the $H'_i$s contain both quantum and classical information. Intuitively, we use the QAS
to ensure that an adversary cannot change the quantum state of a single register without being detected; 
thus, we can transform general errors into erasure errors, allowing us to correct one faulty register out of 
three (no exact QECC can do this). Then we distribute the authentication keys among the three registers 
so that Bob can recover them. We must, however, do so in a way that prevents an adversary with access to 
a single register from either learning the key applying to her own register (which would allow her to change 
the quantum state) or from preventing reconstruction of the classical keys. 

¹ We make no assumptions on the running time of the adversary.

Theorem 1 If $A_k$ is a QAS secure with error $\epsilon$ then c' is a 1-correct AQECC with error prob. poly($\epsilon$),
correcting one arbitrary error.

We omit the proof of this theorem, as in Section 5 we will prove a more general result.

4.1 Reconstruction

In all cases, the reconstruction has two phases. First we reconstruct the classical keys and use them to 
verify and decode the quantum authentications. This may result in discarding one register, but at least two 
remain, which is enough for the erasure-correcting code to recover the original encoded state. Consider the 
following cases: 

• All $k_i$'s agree in $H'_1$, $H'_2$, $H'_3$:

Recover $k_i$ from either $H'_j$, $j \neq i$, check that $A_{k_i}(H_i)$ properly authenticates $H_i$. If one authentication
fails, ignore the improperly authenticated $H_i$ and reconstruct the valid codeword as $c|\psi\rangle \in H_1 \otimes H_2 \otimes H_3$
using the erasure recovery algorithm from both $H_j$, $j \neq i$.

• Some $H'_i$ disagrees with $H'_j$, $H'_h$ on both keys $k_h$ and $k_j$:

Discard register i, which must be corrupted. Recover $k_j$ from $H'_h$ and $k_h$ from $H'_j$, and decode the authentications
$A_{k_j}(H_j)$ and $A_{k_h}(H_h)$ (which should both pass, since only one register can fail). Reconstruct
the valid codeword as $c|\psi\rangle \in H_1 \otimes H_2 \otimes H_3$ using the erasure recovery algorithm from $H_j$ and $H_h$.

• $H'_i$ and $H'_j$ disagree on key $k_h$, while $H'_h$ agrees with everyone:

Either register i or j is corrupt. Get $k_i$ and $k_j$ from $H'_h$ and check that $A_{k_i}(H_i)$ properly authenticates
$H_i$, and that $A_{k_j}(H_j)$ properly authenticates $H_j$. If neither fails, reconstruct the valid codeword as
$c|\psi\rangle \in H_1 \otimes H_2 \otimes H_3$ using the erasure recovery algorithm from $H_i$ and $H_j$. If one fails, say $A_{k_i}(H_i)$,
then conclude register i is corrupt and recover $k_h$ from $H'_j$, decode $A_{k_h}(H_h)$, and reconstruct the valid
codeword as $c|\psi\rangle \in H_1 \otimes H_2 \otimes H_3$ using the erasure recovery algorithm from $H_h$ and $H_j$.

Other cases cannot arise, since only one register can have been changed from the original encoding. 
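
The erasure recovery step that each case above ends with can be checked directly on code (3). The following state-vector simulation is an added example, not code from the paper: it assumes register k (k = 0, 1, 2) holds f(k) = a + i·k mod 3, which reproduces (3) up to normalization, models the corruption of the discarded register as a generalized Pauli error X^u Z^v, and uses illustrative function names.

```python
import cmath
from itertools import product

def encode(amps):
    """Encode sum_i amps[i]|i> with code (3): |i> -> (1/sqrt 3) sum_a |a, a+i, a+2i> (mod 3)."""
    state = {}
    for i, a in product(range(3), repeat=2):
        if amps[i] != 0:
            state[(a, (a + i) % 3, (a + 2 * i) % 3)] = amps[i] / 3 ** 0.5
    return state

def pauli_error(state, reg, u, v):
    """Constructed error on one register: X^u Z^v maps |x> to w^(v*x) |x+u>, w = exp(2*pi*i/3)."""
    w = cmath.exp(2j * cmath.pi / 3)
    out = {}
    for basis, amp in state.items():
        new = list(basis)
        new[reg] = (basis[reg] + u) % 3
        out[tuple(new)] = amp * w ** (v * basis[reg])
    return out

def reduced_density(state, keep):
    """Partial trace onto the registers in `keep`; returns {(row, col): value}."""
    rho = {}
    for (b1, v1), (b2, v2) in product(state.items(), repeat=2):
        if all(b1[k] == b2[k] for k in range(3) if k not in keep):
            key = (tuple(b1[k] for k in keep), tuple(b2[k] for k in keep))
            rho[key] = rho.get(key, 0) + v1 * complex(v2).conjugate()
    return rho

def recover(state, erased):
    """Erasure recovery touching only the surviving registers p < q.

    Their values y_p = a + i*p and y_q = a + i*q determine (a, i); the permutation
    |y_p, y_q> -> |i, f(erased)> leaves the message digit i alone in register p.
    """
    p, q = [k for k in range(3) if k != erased]
    inv = pow(q - p, -1, 3)
    out = {}
    for basis, amp in state.items():
        i = (basis[q] - basis[p]) * inv % 3
        a = (basis[p] - i * p) % 3
        new = list(basis)
        new[p], new[q] = i, (a + i * erased) % 3
        out[tuple(new)] = amp
    return out

def single_register_bias(amps):
    """Largest entrywise distance of any one-register state from I/3 (0 means no leak)."""
    state = encode(amps)
    worst = 0.0
    for k in range(3):
        rho = reduced_density(state, (k,))
        for r, c in product(range(3), repeat=2):
            target = 1 / 3 if r == c else 0.0
            worst = max(worst, abs(rho.get(((r,), (c,)), 0) - target))
    return worst

def fidelity_after_recovery(amps, corrupted, u, v):
    """Encode, corrupt one register, discard it, recover; return <psi|rho_out|psi>."""
    state = recover(pauli_error(encode(amps), corrupted, u, v), corrupted)
    p = min(k for k in range(3) if k != corrupted)
    rho = reduced_density(state, (p,))
    return sum(complex(amps[r]).conjugate() * rho.get(((r,), (c,)), 0) * amps[c]
               for r in range(3) for c in range(3)).real

if __name__ == "__main__":
    psi = (0.6, 0.0, 0.8j)  # constructed message state
    print(single_register_bias(psi))
    print(min(fidelity_after_recovery(psi, k, u, v)
              for k in range(3) for u in range(3) for v in range(3)))
```

The first quantity shows that a single register carries no information about the message; the second shows that once the bad register is known, whatever was done to it does not affect the recovered state.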

5 A general n-component approximate QECC family correcting up to $d-1 < n/2$ arbitrary errors

In order to generalize the above construction to cases with n registers, we need to systemize the distribution 
of the classical keys. Again, it is helpful to imagine that we are trying to defeat an adversary with access to 
t < n/2 components of the code. Recall that we needed two conditions: First, the adversary should not be
able to learn the classical key for her register, but the receiver Bob should be able to reconstruct the keys. 
Second, the adversary should not be able to interfere with Bob's reconstruction of the keys. 

These are precisely the properties of an ETSS. This suggests the following strategy for building a t-correct
AQECC: encode using a distance t + 1 QECC, authenticate the n components using keys $k = k_1, \ldots, k_n$,
and then share k using a classical ETSS. The result could be considered to be a quantum ETSS (that is, 
an ETSS for quantum data). However, the ramifications of this construction for quantum data are more 
far-reaching than for the classical protocol. Not only does the quantum ETSS have potential cryptographic 
applications, but it demonstrates the possibility of exceeding the no-cloning bound on QECCs. Indeed, any 
QECC, exact or approximate, is in some sense a quantum ETSS — the ability to (approximately) correct 
erasures on a set of registers implies that an adversary with access to those registers can gain (almost) no 
information about the encoded data [21]. 

Let Q be a QECC that can correct $d-1 < n/2$ arbitrary erasure errors: $Q = [[n, k, d]]$. Such a code can
be constructed over sufficiently large dimension Q; for instance, use a polynomial quantum code [1]. The
coding space of Q is defined as

$$Q|\psi\rangle \in H_1 \otimes H_2 \otimes H_3 \otimes \cdots \otimes H_n.$$

We assume $\dim(H_1) = \dim(H_2) = \cdots = \dim(H_n)$.

We construct a new code Q' over larger Hilbert spaces that can correct $d-1 < n/2$ arbitrary errors
except with small probability. Register i of the n-component code Q' contains the following:

$$(A_{k_i}(H_i), s_i, [a_{ij} (\forall j \neq i)], [h_{a_{ji}}(s_i) (\forall j \neq i)]), \qquad (5)$$

where we have used the classical authentication scheme (in systematic form): 

$$m, a \to (m, h_a(m)), \qquad (6)$$

which has error $\epsilon$, and $(s_1, \ldots, s_n) \in_R SS_{n,d}(k_1, \ldots, k_n)$, a secret sharing scheme such that any $d-1$ $s_i$'s
contain no information about $(k_1, \ldots, k_n)$ whereas any d of those $s_i$'s completely define $(k_1, \ldots, k_n)$. The
combination of classical secret sharing and classical authentication forms an ETSS [8], as described above; 
in fact, any ETSS would do. 

For instance, the n = 3 case of this construction is as follows: 

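$$\begin{aligned}
c'|\psi\rangle = {} & (A_{k_1}(H_1), s_1, [a_{12}, a_{13}], [h_{a_{21}}(s_1), h_{a_{31}}(s_1)]), \\
& (A_{k_2}(H_2), s_2, [a_{21}, a_{23}], [h_{a_{12}}(s_2), h_{a_{32}}(s_2)]), \qquad (7) \\
& (A_{k_3}(H_3), s_3, [a_{31}, a_{32}], [h_{a_{13}}(s_3), h_{a_{23}}(s_3)]).
\end{aligned}$$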

Note that this is more complicated than the scheme in section 4. Instead of giving the keys $k_i$ to the other
two players, we have instead shared them among all three players, so no single component has access to
any of the three keys used for quantum authentication. In section 4, we were able to use the fact that the
quantum register attacked by the adversary must be the same as the classical register attacked, so it is only
necessary to protect information about one of the keys $k_i$, not all of them. With the extra flexibility granted
the adversary by being able to attack multiple registers, it is more straightforward to protect all n keys with
the classical ETSS. 

We are now ready for our main result. Let $H'_1 \otimes H'_2 \otimes \cdots \otimes H'_n$ be the coding space of the new code

$$Q'|\psi\rangle \in H'_1 \otimes H'_2 \otimes \cdots \otimes H'_n$$

Theorem 2 If $A_k$ is a QAS secure with error $\epsilon$, Q is a non-degenerate stabilizer code with distance d, and
$h_a(\cdot)$ is a classical authentication scheme with error $\epsilon$, then Q' is an approximate quantum error-correcting
code correcting $d-1$ arbitrary errors with error at most $2n^2\epsilon$.

5.1 Reconstruction 

The reconstruction procedure is similar to that for the previous protocol, but slightly more involved, since
we must verify the classical authentications as well. Rather than breaking the procedure into different
cases, in this version of the protocol, we can systematically go through four steps: First, verify the classical
authentications and discard any invalid classical share. Second, reconstruct the keys $k_i$. Third, verify and
decode the quantum authentications. Fourth, discard any invalid quantum register and reconstruct the
encoded quantum state.

1. Verify classical authentications: 

For each $s_i$, consider it valid if at least half its authentications are correct according to $a_{ji}$, $j \neq i$. Discard
any share $s_i$ which is not valid.

2. Reconstruct the keys $k_i$:

Up to $d-1$ shares $s_i$ can have been discarded in the first stage, so at least $n - d + 1 > n/2 + 1 > d$ shares
remain. Use these to reconstruct $(k_1, \ldots, k_n)$. If the remaining shares are not all consistent with a single
value of the secret, Bob aborts and outputs the quantum state $|0\rangle$.
3. Verify and decode the quantum authentications:

Use the key $k_i$ to verify and decode the quantum authentication $A_{k_i}(H_i)$.

4. Reconstruct the encoded quantum state: 

Discard any registers which failed the quantum authentication, and use the remaining registers to reconstruct
the valid codeword as $Q|\psi\rangle \in H_1 \otimes \cdots \otimes H_n$ using the erasure recovery algorithm. (At most $d-1$
have been discarded.) If the remaining registers are not consistent with a single quantum codeword, Bob
aborts and outputs the quantum state $|0\rangle$.
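
The classical half of this procedure (steps 1 and 2) can be exercised directly. The following Python is an added example, not code from the paper: it assumes Shamir sharing over a prime field for $SS_{n,d}$, a linear one-time MAC for $h_a$, and the key vector $(k_1, \ldots, k_n)$ packed into a single field element. The quantum steps 3 and 4 are not modelled.

```python
import secrets

P = 2**61 - 1  # prime modulus for shares, MAC keys and tags (constructed parameter)

def mac(key, s):
    """One-time MAC h_a(s) = a0*s + a1 mod P (hypothetical instantiation of h_a)."""
    return (key[0] * s + key[1]) % P

def share(secret, n, d):
    """Shamir SS_{n,d}: any d shares fix the secret, any d-1 are independent of it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(d - 1)]
    return [sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)]

def interpolate(points, x0):
    """Evaluate at x0 the polynomial through the given (x, y) points mod P."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (x0 - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def encode(secret, n, d):
    """Component i holds s_i, keys a_ij (j != i) and tags h_{a_ji}(s_i) (j != i)."""
    s = share(secret, n, d)
    a = {(i, j): (1 + secrets.randbelow(P - 1), secrets.randbelow(P))
         for i in range(n) for j in range(n) if i != j}
    return [{"s": s[i],
             "keys": {j: a[i, j] for j in range(n) if j != i},
             "tags": {j: mac(a[j, i], s[i]) for j in range(n) if j != i}}
            for i in range(n)]

def reconstruct(comps, d):
    """Steps 1-2: keep shares with >= half valid tags, rebuild the secret or abort."""
    n, valid = len(comps), []
    for i, c in enumerate(comps):
        ok = sum(mac(comps[j]["keys"][i], c["s"]) == c["tags"][j]
                 for j in range(n) if j != i)
        if 2 * ok >= n - 1:              # at least half of the n-1 tags verify
            valid.append((i + 1, c["s"]))
    if len(valid) < d:
        return None                      # too few shares survive: abort
    base = valid[:d]
    if any(interpolate(base, x) != y for x, y in valid[d:]):
        return None                      # not consistent with one secret: abort
    return interpolate(base, 0)
```

With $n = 5$ and $d = 3$, two colluding components that rewrite their shares, keys and mutual tags are both discarded in step 1, and the three honest shares still return the secret; `None` stands for Bob's abort.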

We prove this assuming the original QECC $Q$ is a nondegenerate CSS code (which is sufficient to
demonstrate that AQECCs exist correcting up to $(n-1)/2$ errors), but the proof can easily be extended to
an arbitrary stabilizer code.

Proof (of Theorem 2): If no errors occurred, the above procedure will exactly reconstruct the original
encoded state. We need to show that it still approximately reconstructs the state when there are up to
$d-1$ arbitrary errors in unknown locations. Let $B$ be the set of registers attacked by the adversary, and let
$A = [n] \setminus B$ be the registers held by honest players.

The intuition for the proof is simple. With high probability, the authentication keys will be reconstructed
correctly; conditioned on that event, all components of the QECC which pass the authentication test should
be "close" to the encoding of $|\psi\rangle$ restricted to those positions, and applying erasure correction should yield a
state very close to $|\psi\rangle$. Formalizing this intuition is more delicate than it would be if the data involved were
classical. The quantum version of the statement "such-and-such event holds with probability $1-\epsilon$" is "the
state of the system has fidelity at least $1-\epsilon$ to the subspace such-and-such." The problem lies in the fact
that the union bound from ordinary probability, which is the basis of the intuition outlined above, does not
always hold in the quantum world. Our solution follows the lines of the "quantum to classical reductions"
in [14, 9]. We define a set of "target" subspaces whose projectors commute (in other words, there exists a
single basis of the state space in which all the projectors are diagonal), and show that the system lies close
to each of these target subspaces. For commuting subspaces, the union bound does hold: if the system has
high fidelity to each of the subspaces, then in fact it has high fidelity to their intersection. To complete the
proof it is sufficient to show that for states in the intersection, the initial input $|\psi\rangle$ is reconstructed exactly.

The first step is to take care of the classical component of the encoding (composed of the shares $s_i$,
classical authentication keys $a_{ij}$ and tags $h_{a_{ij}}(s_j)$). We rely on three observations. First, we may assume
w.l.o.g. that the recovery procedure measures all the classical components in the computational basis before
doing any processing; thus, the state received by the reconstructor Bob is a mixture (not a superposition)
over different bit strings which he might be sent instead of the original ones. Second, the classical information
held by the adversary is statistically independent of $k = (k_1, \ldots, k_n)$, the vector of quantum authentication
keys. (This follows from the fact that any $t$ of the shares $s_1, \ldots, s_n$ are independent of the shared secret.)
Third, any classical authentication tags changed by the adversary will be rejected by Bob with probability
at least $1-\epsilon$.

We define our first target subspace $S_0$ by the statement "the keys $k$ reconstructed by Bob are equal to
the original keys." This statement can fail only if some tag changed by the adversary is accepted by Bob,
and by a (classical) union bound this can occur with probability at most $tn\epsilon < n^2\epsilon$. The fidelity to $S_0$ is
thus at least $1 - n^2\epsilon$.

We now look at what happens within the subspace $S_0$. Consider the following set of measurements
which might be performed by Bob after verifying the authentications, but before applying erasure correction
to the code. We assume for simplicity that the adversary holds the wires $B = \{1, \ldots, t\}$, and the wires
$A = \{t+1, \ldots, n\}$ are untouched.

• For each register $i \in [n]$, $|\mathrm{REJ}_i\rangle\langle\mathrm{REJ}_i|$ measures whether or not Bob rejected the authentication of the
$i$-th quantum system (correspondingly, $|\mathrm{ACC}_i\rangle\langle\mathrm{ACC}_i|$ measures whether or not Bob accepts).



• We use the fact that the quantum error-correcting code is a nondegenerate CSS code. The code can
be defined by a sequence of parity checks performed in two bases: the standard computational basis
and the rotated Fourier (or "diagonal") basis. We assume there are $r$ independent parity checks in
the rotated basis and $s$ independent parity checks in the standard basis. Denote by $V$ the linear space
of parity checks satisfied in the computational basis, and by $W$ the corresponding set for the Fourier
basis. If the QECC code has distance at least $t+1$, then there is a basis $v_1, \ldots, v_s$ of $V$ such that,
for any $i \in B$, position $i$ is only in the support of $v_i$. Same for $W$: there is a basis of parity checks
$w_1, \ldots, w_r$ such that only $w_i$ involves the $i$-th component of the code for $i \in B$. We denote by $\Pi_{v_i}$,
$\Pi_{w_i}$ the corresponding projectors (that is, $\Pi_{v_i}$ preserves the subspace in which the parity check $v_i$ is
satisfied).

The sets of projectors $\{|\mathrm{REJ}_i\rangle\langle\mathrm{REJ}_i|\}_{i \in [n]}$, $\{\Pi_{v_i}\}_{i \in [s]}$ and $\{\Pi_{w_i}\}_{i \in [r]}$ all commute with each other. The
only possible interaction comes from the fact that the operators $\{\Pi_{v_i}\}$ and $\{\Pi_{w_i}\}$ operate on the same
space, but they commute by definition of CSS codes. We may ignore projectors with indices $i > t$ since they
correspond to checks which will always be passed within the subspace $S_0$. Therefore the system will have
fidelity 1 to the subspaces defined by $\{\Pi_{v_i}\}$ and $\{\Pi_{w_i}\}$ for $i > t$.

We would like to claim that, whenever Bob accepts the set $R$ of registers, $R$ satisfies all the parity checks
restricted to $R$. We can quantify this as follows: for all $i$ between 1 and $t$, the system should lie in the
subspace defined by

$$
P_i = \big(\Pi_{v_i}\Pi_{w_i} \otimes |\mathrm{ACC}_i\rangle\langle\mathrm{ACC}_i|\big) + \big(I \otimes |\mathrm{REJ}_i\rangle\langle\mathrm{REJ}_i|\big), \tag{8}
$$

where $I$ is the identity operator. The security of the quantum authentication scheme, and the fact that the
adversary doesn't learn anything about the keys from the classical secret sharing, imply that the fidelity to
each of these subspaces is at least $1-\epsilon$ (note: this requires the quantum authentication scheme to be secure
even when composed up to $t$ times). For $1 \leq i \leq t$, we can define the subspaces $S_1, \ldots, S_t$ corresponding to
the projectors $P_1, \ldots, P_t$. By a union bound, the state of the whole system has fidelity at least $1 - n^2\epsilon - t\epsilon$
to the intersection $S = \bigcap_{i=0}^{t} S_i$. In words, $S$ is the space of states for which Bob reconstructs the correct
authentication keys, and for which the set of registers accepted by Bob satisfies all the parity checks restricted
to that set.

It remains to prove that within the space $S$, Bob will always recover the input state exactly. We
may assume w.l.o.g. that Bob will measure all $n$ of the registers which indicate whether the authentication
failed or not in the basis $\{|\mathrm{REJ}\rangle, |\mathrm{ACC}\rangle\}$. Thus, the global state may be seen as a mixture over possible sets
of registers accepted by Bob. If Bob also performs the measurements $P_i$, he will, with probability at least
$1 - n^2\epsilon - t\epsilon$, find that the state actually satisfies all parity checks restricted to the set $R$ of registers he
accepts.

When this occurs, it then follows that applying erasure correction to $R$ yields the same result as if we
had used only registers untouched by the adversary. For a detailed proof of this fact, we refer the reader to
Proposition 2.2 in [9]. The intuition behind it is straightforward: Suppose $s$ registers are discarded, leaving
up to $t - s$ registers attacked by the adversary. But because $s + (t - s) < d$, the QECC can both correct $s$
erasures and detect an additional $t - s$ errors, so the adversary is unable to reach any state in $S$ except the
correct input state $|\psi\rangle$. We can conclude that Bob recovers a state $\rho$ with fidelity at least $1 - 2n^2\epsilon$ to $|\psi\rangle$, as
desired. □

5.2 Specific Constructions and Parameters 

As mentioned above, it is natural to instantiate our construction using the polynomial codes (quantum
Reed-Solomon codes) of Aharonov and Ben-Or [1]. These are nondegenerate CSS codes over an alphabet of
size $q$ whenever $q$ is a prime power and greater than $n-1$. For any $t < n/2$, one can find a $[[n, n-2t, t+1]]_q$
code (i.e. which encodes $(n-2t)\log q$ qubits and has distance $t+1$). This means that to encode $\ell > n$
qubits, each component of the code will consist of $\ell/(n-2t)$ qubits. The components of the approximate
QECC then consist of $\ell/(n-2t) + O(\log(1/\epsilon))$ qubits and $CC(2\ell/(n-2t) + O(\log(1/\epsilon)), \epsilon, t)$ bits (where $CC()$
is the share size of the classical ETSS).

For $2t < n-1$, we can modify the ETSS above to get shares of size $O(n\log(1/\epsilon)) + \ell/(n-2t)$. Putting these
constructions together, we can get quantum codes where each register contains $O(n(\ell/(n-2t) + \log(1/\epsilon)))$
qubits.

An immediate improvement can be made to these parameters by noting that, for any distance $d$ nondegenerate
stabilizer code, including the polynomial codes used here, the state of any $d-1$ registers is
maximally entangled with the remaining registers. Therefore, as noted in section 2, a much shorter classical
key suffices for quantum authentication. In particular, a classical key of length $O(\log \ell + \log(1/\epsilon))$ is sufficient
to authenticate $\ell$ EPR halves. This leads to an approximate quantum code where each component consists
of $\ell/(n-2t) + O(\log(1/\epsilon))$ qubits and $CC(n\log(1/\epsilon), \epsilon, t)$ bits (when $\epsilon < 1/\ell$). This gives a total size of
$\ell/(n-2t) + O(n\log(1/\epsilon))$.

Corollary 3 (to Theorem 2) For $t < n/2$, there exists an approximate QECC correcting any $t$ errors
with error $\epsilon$, where each component consists of $O(\ell/(n-2t) + n\log(1/\epsilon))$ qubits. When $n = 2t+1$, we get
components of size $O(\ell + n\log(1/\epsilon))$.

6 Discussion and open questions

We have constructed quantum error correcting codes that are capable of correcting general errors when up 
to half the registers are affected. This contrasts considerably with known upper bounds that limit a QECC 
to correcting errors on less than one-fourth of all registers. The price for being able to violate this bound is 
that we only correct the state approximately; however, we do so with exponentially good fidelity. 

In general, extrapolating from exact performance of a quantum task to approximate performance is 
dangerous, but possible. Factors of the dimension may arise, and since the dimension is exponential in the 
number of qubits, dramatically different behavior becomes possible. This phenomenon is likely behind the 
performance of our codes, and suggests that high-fidelity AQECCs are only possible when working in high 
dimension. 

Our codes instead consist of a small logical subspace and large registers containing both quantum and 
classical information. As such, they are not so useful for practical problems in quantum error correction, but 
do serve as an interesting in-principle demonstration of the potential power of approximate error correction. 
In addition, they act as quantum ETSS schemes, and may be a useful stepping stone towards building VQSS 
and MPQC with a large number of cheaters. Any such construction must be more complex, however, to take 
account of dishonest senders and receivers, and to allow the participants in the protocol to alter a state in the 
correct way without altering it in any unapproved manner. Indeed, it remains possible that the prior bound 
of n/4 cheaters does in fact restrict VQSS and MPQC; however, we have shown here that the existing proof of 
that bound does not apply to VQSS and MPQC protocols which only guarantee approximate reconstruction 
of the quantum state. 